feat: add support for insecure CAs in HTTP calls (#86)

feat: add insecure CA support to http client (download/api checks)
snyk · Sep 6, 2022 · 2f797cf · 2f797cf
1 parent 40d5baa
commit 2f797cf
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## [2.0.0] - Unreleased
 ### Changes
+- add support for insecure and custom CAs to download and API checks
+
+## [2.0.0] - v20220905.164345
+### Changes
 - promote language server from BETA to GA
 - announce workspace folder capability correctly
 - disable / enable Snyk Code based on org settings

diff --git a/plugin/src/main/java/io/snyk/languageserver/download/HttpClientFactory.java b/plugin/src/main/java/io/snyk/languageserver/download/HttpClientFactory.java
@@ -1,24 +1,35 @@
 package io.snyk.languageserver.download;
 
+import io.snyk.eclipse.plugin.properties.preferences.Preferences;
+import io.snyk.eclipse.plugin.utils.SnykLogger;
 import io.snyk.languageserver.LsRuntimeEnvironment;
 import org.apache.http.HttpHost;
 import org.apache.http.auth.AuthScope;
 import org.apache.http.auth.UsernamePasswordCredentials;
 import org.apache.http.client.AuthCache;
 import org.apache.http.client.protocol.HttpClientContext;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.TrustStrategy;
 import org.apache.http.impl.auth.BasicScheme;
 import org.apache.http.impl.client.BasicAuthCache;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.impl.conn.DefaultProxyRoutePlanner;
+import org.apache.http.ssl.SSLContexts;
 import org.eclipse.core.net.proxy.IProxyData;
 
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.SSLContext;
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+
 public class HttpClientFactory {
   private static HttpClientFactory instance;
-  private CloseableHttpClient client;
-  private HttpClientContext context = HttpClientContext.create();;
+  private final HttpClientContext context = HttpClientContext.create();
 
   public static HttpClientFactory getInstance() {
     if (instance == null) {
@@ -28,11 +39,24 @@ public static HttpClientFactory getInstance() {
   }
 
   public CloseableHttpClient create(LsRuntimeEnvironment runtimeEnvironment) {
-    if (client != null) return client;
     var httpClientBuilder = HttpClients.custom();
+
     IProxyData[] proxyData = runtimeEnvironment.getProxyService().select(LsBinaries.getBaseUri());
     var relevantProxyData = getRelevantProxyData(proxyData);
     configure(httpClientBuilder, relevantProxyData);
+
+    if (Preferences.getInstance().isInsecure()) {
+      try {
+        TrustStrategy acceptingTrustStrategy = (certificate, authType) -> true;
+        SSLContext sslContext = SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
+        httpClientBuilder.setSSLContext(sslContext);
+        HostnameVerifier allowAllHosts = new NoopHostnameVerifier();
+        SSLConnectionSocketFactory connectionFactory = new SSLConnectionSocketFactory(sslContext, allowAllHosts);
+        httpClientBuilder.setSSLSocketFactory(connectionFactory);
+      } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
+        SnykLogger.logError(e);
+      }
+    }
     return httpClientBuilder.build();
   }